Bug 52683

Summary: add a symlink option that rechecks the access permission with the resolved symlink
Product: Apache httpd-2
Reporter: Christoph Anton Mitterer <calestyo>
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: enhancement
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All

Description Christoph Anton Mitterer 2012-02-16 15:50:56 UTC

The Options directive currently provides two parameters to allow following symbolic links.
Both are rather dangerous in that they (more or less) just allow the access, without checking any <Directory>/<File> (+ their regexp variants) blocks again.

So even if I have
# Deny access to the whole filesystem by default
<Directory />
  Order allow,deny
  Deny from all
</Directory>

Access to e.g. /etc/shadow is granted if there's a directory that contains a symlink to it and has symlinks allowed.

Now one can always argue that it's the user's fault if such things happen, but even the sysadmin can accidentally create symlinks that somehow endanger security and he doesn't notice this immediately.

As this is a long-standing deficiency of Apache, I suggest adding a third symlink argument to the Options directive, which enables following symlinks, but first resolves them (i.e. what readlink -f does) and checks the resulting file against all access directives.

As this is probably slower, the other two options deserve to stay in place, for those who are happy enough with them.
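
The recheck requested in this report, as an added sketch that is not part of the bug report and not httpd code: it compares the access decision on the path as requested with the decision on the symlink-resolved path. The rule table, the function names and the longest-prefix matching are assumptions standing in for httpd's <Directory> merging, and the file tree is constructed in a temporary directory.

```python
import os
import tempfile

def decide(path, rules):
    """Longest matching directory prefix wins (simplified stand-in for <Directory> merging)."""
    best_len, allowed = -1, False            # no matching rule: deny
    for prefix, allow in rules:
        root = prefix.rstrip(os.sep)         # "/" becomes "", so every absolute path matches
        if (path == prefix or path.startswith(root + os.sep)) and len(root) > best_len:
            best_len, allowed = len(root), allow
    return allowed

def check_request(path, rules):
    """Return (decision on the name as requested, decision after the proposed recheck)."""
    as_requested = decide(os.path.abspath(path), rules)   # symlinks left unresolved
    resolved = os.path.realpath(path)                     # what `readlink -f` prints
    rechecked = as_requested and decide(resolved, rules)
    return as_requested, rechecked

def demo():
    """Constructed tree: docroot/ok.html is a real file, docroot/leak -> ../secret/shadow."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot, secret = os.path.join(base, "docroot"), os.path.join(base, "secret")
    os.mkdir(docroot)
    os.mkdir(secret)
    for name in (os.path.join(docroot, "ok.html"), os.path.join(secret, "shadow")):
        with open(name, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(os.path.join(secret, "shadow"), os.path.join(docroot, "leak"))
    rules = [(os.sep, False), (docroot, True)]   # deny "/", allow the docroot
    return {n: check_request(os.path.join(docroot, n), rules) for n in ("ok.html", "leak")}

if __name__ == "__main__":
    for name, (as_requested, rechecked) in demo().items():
        print(f"{name}: as requested={as_requested}, after recheck={rechecked}")
```

The symlink passes the check on its unresolved name because it sits under the allowed docroot, and is refused once the resolved target is matched against the deny rule for "/".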